The executive order that President Barack Obama signed yesterday in advance of his State of the Union Address contains a lot of provisions for information sharing on attacks and threats on critical infrastructure, and also calls for the development of a framework to reduce cybersecurity risks in federal agencies and critical infrastructure. What the order does not include are any mandates, required changes or a plan for significant action.

The most-discussed section of the executive order on cybersecurity is the one that directs the attorney general, secretary of the Department of Homeland Security and the Director of National Intelligence to establish an information-sharing program that will produce unclassified reports on "cyber threats to the U.S. homeland that identify a specific targeted entity." However, this is not the broad, two-way sharing of attack and threat data between the government and the private sector that some in the security community had been pushing for. Rather, it's a program designed to let intelligence agencies and the DHS take some of the data they gather on current attacks and notify targeted agencies about the attacks.

The executive order focuses almost exclusively on the threats facing critical infrastructure providers, both inside and outside the government, and discusses the need for better data on those threats and coordination among the entities responsible for running them. To that end, the order requires that DHS and the intelligence community figure out a method for disseminating classified threat information to those critical infrastructure providers. However, it does not provide a mechanism for getting that information to other, private-sector companies that may be targeted by the same kind of attacks.

"The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a process that rapidly disseminates the reports produced pursuant to section 4(a) of this order to the targeted entity. Such process shall also, consistent with the need to protect national security information, include the dissemination of classified reports to critical infrastructure entities authorized to receive them. The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a system for tracking the production, dissemination, and disposition of these reports," the executive order says.

The other major section of the order lays out the need for a voluntary risk-management framework designed to reduce vulnerabilities in critical infrastructure organizations such as utilities, government agencies and others. The framework "shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks," the order says, and there are no provisions in the document that require compliance with the framework's provisions. Instead, the government will establish a voluntary program to promote the adoption of the framework.

The issuance of the executive order comes nearly 10 years to the day after the publication of the National Strategy to Secure Cyberspace, a document developed in the aftermath of the Sept. 11 attacks that was meant to lay out a road map for how the government, businesses and users could help improve security. At the time of its release on Feb. 14, 2003, the document was criticized heavily by security experts who saw it as being too weak and lacking any direct action. Much of that initial strategy discussed the need for better information sharing, more data on attacks and threats and better security at critical infrastructure facilities, as well.

-----

I'm in class tomorrow for something Information Assurance related, maybe we will be able to discuss the Executive Order tomorrow.

There's a natural inclination for people at the end of each year to look back, take stock and try to draw some grand meaning or life lessons out of the events of the past 12 months. This is a particularly risky and difficult thing to do in the security industry, given its inherent unpredictability and chaotic nature. That doesn't stop people from doing it, mind you, it just makes the process more difficult and often more humorous. The weird thing about 2012, though, is that it turned out to be one of those years that may well end up marking a turning point for consumers, enterprises and governments around the world.

The biggest shift in 2012 was the emergence of state-sponsored malware and targeted attacks as major factors. The idea of governments developing and deploying highly sophisticated malware is far from new. Such attacks have been going on for years, but they've mainly stayed out of the limelight. Security researchers and intelligence analysts have seen many of these attacks, targeting both enterprises and government agencies, but they were almost never discussed openly and were not something that showed up on the front page of a national newspaper.

That all changed in 2010 with the discovery of the Stuxnet worm, which targeted the nuclear enrichment facility at Natanz in Iran. That attack made international news and started conversations in Washington, London and around the world about who deployed the worm and about the propriety of using such malware to go after the assets of foreign governments, regardless of their political alignment.

That conversation grew louder and more contentious in 2012 with the emergence of a number of new cyberweapons, including Flame, Gauss, Mini-Flame and Shamoon. Researchers believe that several of these tools are connected and may have been written by the same team and use some of the same code and modules. For the most part, these tools have been designed to steal sensitive data, conduct surveillance on victim networks and give the attackers a hidden presence on those systems. Shamoon was the exception to this rule, wiping data from target systems and rendering many of them useless.

Shamoon's destructive tendencies confused researchers for a while, as there doesn't seem to be much upside in destroying the data on machines that you're targeting. That is, of course, unless the attackers had no interest in stealing any of the data on the target network and simply wanted to make a statement by trashing the systems instead and causing major headaches for the security team on the other end. And that's what ended up happening, at least to the one major known target, oil giant Saudi Aramco. The attack on Aramco destroyed data on more than 30,000 machines and took the company weeks to recover from.

The kind of targeted attacks in which cyberweapons such as Flame and Shamoon are used are relatively rare and almost exclusively hit major corporate or government networks. But that doesn't mean that they don't have consequences for consumers, as well. Attackers routinely go after banks, ISPs and other companies and those attacks can have major repercussions for consumers. There has been a series of high-powered and highly disruptive DDoS attacks against several major banks over the last few months, some of which have taken banks' sites offline for hours at a time.

The attacks have reached the point where the Office of the Comptroller of the Currency is warning banks about the campaign and recommending that they look at their risk-management plans to ensure that they have quality mitigations in place. The major banks, of course, have layers of defenses in place, but that only goes so far against a determined attacker, as many other enterprises are finding out these days.

The question now is what 2013 has in store. It's no reach to say that there will be more Stuxnet or Flame-style attacks in the coming year. It's as sure a bet as there is, the kind of lock that Vegas bettors dream about. A five-star lock. The attacks are going on all the time, 24 hours a day, on sensitive networks around the world. Attackers are vacuuming up data by the terabyte and handing it over to their bosses or backers and then moving on to the next assignment.

What's far less certain is how many of these attacks will come to light. Researchers hit the jackpot in 2012 with several juicy new cyberweapons to sink their teeth into and they made a lot of headway in understanding the methods and techniques of these types of attackers. But that knowledge and intelligence has a limited shelf life. Attackers shift tactics often, responding to changes in defensive methods or advances in research. Attacks that are going on right now and may be discovered weeks or months down the road could include components that have never been seen before. The hash collision developed by the attackers behind Flame is a perfect example.

So 2013 likely will look a lot like 2012, only more so. More sophisticated attacks, more novel techniques and more targets. Whether those attacks bubble up to the surface remains to be seen, but if they do, expect to see the rhetoric and hand-wringing ratchet up a few notches. It's the natural progression. If we learned anything in 2012, it's that attacks only get better.

1943-1944 History: The digital era jumped ahead with the creation of Colossus, the first programmable digital machine. Though limited compared to later computers, Colossus played a pivotal role in code breaking during World War II. In effect, the British developed the first digital machine to hack German codes.

The National Museum of Computer: Colossus
Colossus: The first large-scale electronic computer

1961-1962 History: Key steps in the history of global computer networks came when Leonard Kleinrock at MIT published the first paper on packet switching theory in July 1961, and the next year when J.C.R. Licklider, also at MIT, wrote a series of memos spelling out his ideas for a "Galactic Network" in which people could access data from anywhere.

Internet Society: Origins of the Internet

1967-1969 History: The Advanced Research Projects Agency, later known as DARPA, accelerated work on what was initially dubbed ARPANET and eventually came to be known as the Internet. The first ARPANET message was sent at 10:30 p.m. on Oct. 29, 1969.

1971 History: Intel released the first integrated microprocessor, a major leap forward in the history of the computer. It had 2,300 transistors and processed 60,000 instructions per second.

1982 Hack: National security officials in the United States launched one of the world's first cyberattacks on another country: the Soviet Union. U.S. officials heard, through a KGB source named Farewell, that the Soviets intended to buy computer equipment through a front company to operate a gas pipeline. U.S. agents altered the software, which later caused the pipeline to explode.

CIA: The Farewell Dossier
At the Abyss: An Insider's History of the Cold War (book)

1986-1987 Hack: In 1986 and 1987, a physics researcher at the University of California at Berkeley uncovered a global hack of academic, military and government computers in the United States. Chronicled later in the book “The Cuckoo's Egg,” it was the first investigation of its kind, and it revealed online hacker threats spread around the globe.

Wikipedia: The Cuckoo's Egg

1988 Hack: The first "worm" attack occurred on the Internet. A Cornell University student named Robert Tappan Morris released several dozen lines of code, which replicated wildly and hit thousands of computers hard. It stopped about 10 percent of the 88,000 computers linked to the Internet at the time.

The What, Why, and How of the 1988 Internet Worm
CERT: Security of the Internet

1990 History: ARPANET became an operational network known as the Internet. About 2.6 million people around the globe had access.

1994 Hack: Anonymous hackers repeatedly attacked the Air Force's Rome Laboratory in New York, underscoring the threat to military systems. Investigators discovered that a British teenager and an Israeli technician had used phone systems and networks in eight countries to cloak their attacks on numerous military and government computer systems.

1997 Hack: The Pentagon's first "information warfare" exercise, known as Eligible Receiver, found that industrial and information systems throughout the United States are vulnerable to cyberattacks from hackers using readily available technology and software. Specialists said it appeared as though simulated attacks on power and communications networks in Oahu, Hawaii; Los Angeles; Colorado Springs, Colo.; Washington, D.C.; and elsewhere succeeded with ease.

Congressional Research Service report (PDF): Cyberwarfare

2003 History: The amount of digital information created by computers, cameras and other data systems this year surpassed the amount of all information created in human history, according to studies by International Data Corp. and EMC.

November 2003 Hack: Hackers apparently supported by China attacked military and government systems in the United States with impunity, making off with terabytes of data. The attacks were dubbed Titan Rain by officials in the United States.

Washington Post: Hackers attack via Chinese Web sites

May 2007 Hack: During a dispute between Estonia and Russia, hackers launched massive attacks on Estonian government agencies, banks, newspapers and other organizations, using networks of computers to shut down Estonian systems online. Some analysts, blaming Russia, asserted the attacks represent one of the first instances of cyberwar.

Wired: Kremlin Kids: We launched the Estonian cyber war

2008 History: Cyberspace accelerated its expansion, with the number of devices connected to the Internet exceeding the number of people on Earth for the first time. That number hit an estimated 12.5 billion in 2010, according to a researcher at Cisco who predicted it will rise to 50 billion in 2020. Hundreds of millions of new Internet users also sign on, many millions of them via mobile phones and other portable devices.

November 2008 Hack: The most significant breach of U.S. computer security occurred, apparently when someone working with the Pentagon's Central Command inserted an infected flash drive into a military laptop computer at a base in the Middle East. The case was code named Buckshot Yankee. "The flash drive’s malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command. That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control," a senior U.S. official later wrote in Foreign Affairs magazine.

Washington Post: Cyber-intruder sparks massive federal response

March 2009 Hack: Canadian researchers identified a Chinese espionage network operating on government computer systems in 103 countries, making it the largest operation of its kind ever publicly identified. The researchers dubbed the system GhostNet.

New York Times: Vast spy system loots computers in 103 countries

December 2009 Hack: Communications links with U.S. drones were hacked by Iraqi insurgents, who used laptop computers and inexpensive software. The hack apparently enabled the insurgents to see video images the drone was recording.

January 2010 Hack: Google announced that it and dozens of other companies were the focus of a "highly sophisticated and targeted attack" originating from China. The attack resulted in a huge amount of data being stolen. It was later dubbed Operation Aurora.

February 2010 History: The number of Internet users topped 2 billion. The Defense Department said that although "it is a man-made domain, cyberspace is now as relevant a domain for DoD activities as the naturally occurring domains of land, sea, air and space."

July 2010 Hack: Researchers discovered the most sophisticated cyberweapon ever to be made public. A "worm" known as Stuxnet, it was designed to seek out certain industrial control systems made by Siemens. Stuxnet took advantage of four zero-day vulnerabilities and appeared to be targeted at a uranium enrichment program in Iran. Specialists said it appeared to have a devastating effect, destroying or damaging hundreds of centrifuges. The New York Times reported that President Obama approved the operation as part of a secret U.S.-Israeli cyberwar campaign against Iran begun under the Bush administration.

November 2010 History: A group of the nation's top scientists concluded in a report to the Pentagon that "the cyber-universe is complex well beyond anyone’s understanding and exhibits behavior that no one predicted, and sometimes can’t even be explained well." The scientists, part of a Pentagon advisory group called JASON, said, "Our current security approaches have had limited success and have become an arms race with our adversaries. In order to achieve security breakthroughs we need a more fundamental understanding of the science of cyber-security."

May 2011 Hack: Sony told Congress that hackers had penetrated the PlayStation network, stealing or misusing the personal information of at least 77 million users. Sony estimated that fallout from the hack cost at least $170 million. It appeared as though criminals masqueraded as members of the anarchist-activist group known as Anonymous.

March 2012 Hack: Gen. Keith Alexander, commander of U.S. Cyber Command, blamed China for taking "astounding" amounts of intellectual property and for the hack last year of security giant RSA. In testimony before a congressional panel, Alexander hinted at military reprisals. "We reserve the right to use all necessary means — diplomatic, informational, military, and economic — as appropriate and consistent with applicable international law," Alexander testified.

Nicole Katz is a mother and one of 4.3 million Americans who pay annual dues to the National Rifle Association.

She owns two shotguns — one for home protection and the other to defend her place of business.

Each of her three daughters — ages 9, 11 and 15 — has been given gun-safety training. They have gone skeet shooting together. Target practice is fun for the whole Katz family.

However, there are no video games in Katz’s Yorktown home. The kids are not allowed to have televisions in their bedrooms. Or computers.

The middle daughter was denied an iPhone, something she badly wanted for Hanukkah.

“I’m not going to get my kids unlimited Internet access all day long, whenever they want,” Katz said the other day. “I just don’t think it’s a good thing.”

By any modern definition, Katz is a strict, no-nonsense mom.

But she does not believe in stricter gun laws. The hue and cry for legislative action in the wake of the Sandy Hook Elementary School shootings does not shake her resolve — even though the tragedy hit close to home.

Nearly a decade ago, she and her husband, Assemblyman Steve Katz, planned to move to Newtown, Conn.

“We had an accepted offer on a house that we loved and were about to sign off on the paperwork,” she recalled. “I changed my mind at the last minute because it would’ve added a lot of time to my commute.”

It was a fateful decision. Had they made the move, Katz said, “my kids would’ve been in the school on Friday.”

“It’s unfortunate that when a horrendous tragedy like this happens, people tend to act out of emotion instead of thoughtfully considering all the facts,” she said. “It’s easy to blame guns, but that doesn’t address the root cause of the problem.”

She offered the oft-repeated argument that guns don’t kill people, people kill people — and most of the rampage killers are people with mental illnesses.

“Violence has to be treated holistically,” she said. “In the past 20 years, what we’ve seen with these mass shootings is a common thread — they’re all young male loners who were anti-social, disengaged from society. They kept to themselves. Very often, they spent hours alone in their rooms, playing violent video games.”

These young males, she suggested, were stunted, angry and coiled to kill. What’s needed, she said, is raising the national consciousness so that the warning signs are spotted earlier.

“I know that in our own state, mental health services have been cut,” Katz said. “The parents of these children with psychiatric issues are overwhelmed. They’re not equipped to handle it. They can’t afford to get them the help they need, so it’s a big problem.”

By all accounts, Adam Lanza’s mother, a woman who owned six guns and was living on high alimony payments, certainly had enough financial wherewithal to get her troubled son the best professional care.

“She obviously was aware that her son had mental or behavioral issues and I question why she would not have those weapons secured,” Katz said. “I don’t understand it.”

We may never understand it.

Katz said she supports anyone who wants a gun to get one as long as they pass the required background check, were free of mental illness, broke no laws and passed a safety training test. In light of Sandy Hook, she conceded that a background check should include looking into the mental health history of family members.

New gun restrictions?

“All the gun control legislation in the world is not going to stop a criminal from obtaining guns,” she said.

Katz is fighting against an inexorable tide. It is impossible to see how the massacre of 26 people — 20 of them small children — will pass without a serious review and overhaul of firearm regulations and without an examination of how the widespread availability of guns continues to fatally intersect with mental illness.

Give Katz some credit, though. She is nothing if not consistent. I asked for her opinion because I knew she wouldn’t shy away from the discussion, unlike NRA officials who have suddenly become scarce.

She’s been in the public eye before and fully backed her husband last summer when he held a controversial campaign fundraiser at a security training center where guests were invited to partake in target shooting. The event was held two weeks after the killings at a movie theater in Aurora, Colo.

On Wednesday, Katz went to Woodbury, outside of Newtown.

Word got out that members of the anti-gay, anti-Semitic Westboro Baptist Church were planning to picket the funeral of Dawn Hochsprung, the Sandy Hook principal. Presumably, Westboro’s venomous aim was to declare that the shootings were God’s retribution for the sins of gay marriage, or something like that.

It seems that only bilious fools can provide certain answers to the mystery of evil.

On her Facebook page, Katz offered to take anyone along who would help her provide a “human shield” to block the Westboro crackpots from the view of people attending the funeral.

At the end of the day, the picketers did not show up. Katz claimed on Facebook that they saw the crowd and backed down.

“We did our job and we did it peacefully,” she said.

Not that I am advocating the illegal activity, just posting as possible confirmation to the article I just posted.

-----

Group claims hacked subscriber database of NY newspaper which published gun permit map

Posted by William A. Jacobson, Tuesday, January 1, 2013 at 8:05pm

The Lower Hudson Journal News, a Gannett newspaper, caused controversy when it published a map of names and addresses of gun permit holders, and announced that it planned to do so again. The plan for further publication may be in doubt as a neighboring county just announced it was denying the Journal News access to its gun permit database.

In protest, bloggers posted the home addresses and telephone numbers of Journal News editors and staff. Also circulating was the personal and family contact information for the Chairwoman of Gannett.

The Journal News has hired armed guards for its offices, according to Politico, because of threats.

This privacy war has just escalated dramatically, as a group of self-described “2nd Amendment supporters” claims it has downloaded and posted on the web what it describes as the “user” database of the Journal News.

Twitter users claim the list is being widely circulated. Although the links are easily available, I’m not including links to any of the websites containing the alleged database for the same reason I did not provide the personal information sent to me about Gannett’s Chairwoman.

At least two tweets (only one of which is imaged here) disclosing this development were copied to the Journal News account, @lohud:

Twice today I reached out to the Publisher and Editor of the Journal News, asking whether they were aware of this, whether they verified the information, what they were doing about it, and what their position was. This obviously is important because the users and subscribers of the Journal News website may not be aware that their personal information has been compromised.

Despite being told by a person in the newsroom that the Editor was checking her emails, I have heard nothing from the Journal News.

Now it is the advertisers and readers of a New York newspaper who are caught in the crossfire, after its controversial decision to publish the names and addresses of gun owners in its community.

The initial story by the Westchester Journal News on Dec. 22 prompted a bitter backlash by gun advocates, who published the names and addresses of some of the newspaper’s staff. Since then, supporters and critics of the newspaper's controversial stand have been taking potshots at each other in a near-daily exchange that has drawn national attention.

“The data posted also includes active and retired police officers, judges, battered and stalked individuals, FBI agents, and more," the New York State Rifle & Pistol Association said in a release that marked the latest escalation. "The Journal News has made no credible case, nor offered any valid reason, for releasing the data, and it serves no investigative or journalistic purpose. It merely invites harassment and burglary.”

The association is calling for a possible boycott of the Gannett-owned newspaper's national advertisers. But the paper isn't just worried about suffering economic harm. On Dec. 28, it began posting armed guards outside one of its offices, according to local police, shortly after a blogger published the names and home addresses of the 50 journalists who worked on the interactive map showing who owned legally-registered guns.

And the battle shows no signs of subsiding. Hackers claim to have broken into the Journal News' online subscriber database and say they're circulating passwords and user information for 10,000 account holders. They have also made online threats to publish the home addresses and phone numbers of executives at the newspaper’s major advertisers.

One New York lawmaker said he plans to introduce legislation making it illegal to obtain gun permit holders’ information through Freedom of Information Act requests, which is how the Journal News obtained the permit holders’ information used to create their controversial online database.

“The Journal News has placed the lives of these folks at risk by creating a virtual shopping list for criminals and nut jobs,” said Republican State Sen. Greg Ball, in announcing his intent.

There is one apparent beneficiary of all the controversy: The paper's competitor, the Rockland County Times, claimed in an article to have seen an "influx of new subscribers who stated they canceled their subscription to the Journal News due to the gun story.”

More than 150 Utah teachers, school workers attend concealed weapons class

Connecticut shooting » Class more popular now than ever.

By Lisa Schencker | The Salt Lake Tribune

More than 150 Utah teachers and school workers took time off from their winter breaks Thursday to attend a free class on how to carry concealed weapons and respond to mass violence such as the recent shooting in a Connecticut school.

It’s a course that’s been offered to Utah educators for more than a decade, but Thursday it attracted about 10 times as many people as usual, said Clark Aposhian, an instructor with Fairwarning Training and a chairman of the Utah Shooting Sports Council, which hosted the class with OPSGEAR. Aposhian said organizers had to turn away about 40 or 50 people for lack of space.

He credited the course’s sudden popularity to increased media attention on the class and its timing, coming just weeks after a gunman’s massacre at a Newtown, Conn., elementary school killed 20 children and six adults.

Aposhian said parents and school employees in Utah and across the nation felt "utterly helpless" when they saw the tragedy that unfolded in Newtown.

"We want to give school employees one more option to protect themselves and their students," Aposhian said of the class, which went over the basics of how to respond to an attack, carrying concealed weapons and applying for concealed weapon permits.

"You’re never going to get all the mentally and criminally insane people off the streets, and you’re never going to be able to disarm all the criminals, so logically what do you do?"

Utah is one of two states that already allows concealed weapons permit holders to carry firearms on school grounds. The other state is Kansas.

The class came about a week after the National Rifle Association called for armed police officers in every school, and at least one Utah lawmaker, Rep. Curt Oda, R-Clearfield, asserted that more armed teachers would make classrooms safer.

Those positions have garnered much controversy in Utah and across the country. The nation’s two largest teachers unions, the American Federation of Teachers and the National Education Association, have said that arming educators won’t improve school safety and that "guns have no place in our schools." The groups have instead called for a renewed focus on bullying prevention, mental health services and gun control.

But educators who packed a conference room at the Maverik Center on Thursday had a decidedly different view.

"When you are in a building full of kids all day anything can happen," said Kelli Stebbins, a technology teacher at East Midvale Elementary. She said it’s not realistic to think that an attack like the one in Connecticut couldn’t happen here.

"It can happen, and it will happen, and I’d rather be on the prepared side than the not-prepared side," Stebbins said.

Richard Summers, a sixth-grade teacher at Copper Hills Elementary in Magna, said after the shooting some of his students asked him what he would have done in that situation. He said he would have given his life to help them. Several of those who died in Connecticut were educators protecting their students.

"Certainly the incident in Connecticut," Summers said, "makes us want to be aware and know what to do."

Rachel Bateman, a fourth-grade teacher at Early Light Academy in South Jordan, said she also attended the class because she wanted to be prepared. Part of the course included instruction in awareness and other ways to respond to classroom attacks, such as gouging an attacker’s eyes, choking an attacker and how to hide.

Bateman said she hadn’t yet decided Thursday whether she would want to carry a gun in the classroom.

"I want to be able to protect my kids, my students, and people in the building, but on the other hand, different variables come with concealing a weapon," Bateman said, noting she might be worried, for example, that a student would feel a gun while hugging her.

Teachers weren’t the only ones to take advantage of the free class Thursday. Administrators, bus drivers, secretaries and others were also among those taking notes.

"If anything were to happen, I’ve got a large responsibility," said Scott Huntington, a custodian at Shelley Elementary in American Fork. "I don’t have just a single classroom. I’ve got the whole school to think about."

Alpine School District bus driver Greg Lewis said he’s always wanted a permit, and he’d likely carry a gun on his bus if district policy allows it.

And Julie Wootan, a front office receptionist at Paradigm High in South Jordan, said she’s also been wanting a permit for a while and the events of this month encouraged her to finally get it.

"We’re the first place where they would walk by," Wootan said of her position in the front office. She said school employees should always be allowed to protect those around them.

Those who led the course Thursday emphasized that whether those in attendance pursued concealed carry permits or not, just by attending they were becoming more aware of how to protect themselves.

"This is definitely a message that you in the education program are definitely sending to not only our legislature, to our local government," Bill Pedersen, a board member with the Utah Shooting Sports Council, told those in attendance, "but to all those around the states."

Aposhian said the class will likely be offered again during the next school break.

I just read through some of the comments, it's pretty sad of course. It kind of makes me wonder if the uneducated will eventually turn their eye to Martial Arts \ Artist. I know it probably won't happen but these people are afraid of legal gun owners and some people seem to consider them more of a threat than illegal gun owners.

(CNN) -- An interactive map showing the names and addresses of all handgun permit holders in New York's Westchester and Rockland counties has infuriated many readers since it was posted Saturday on a newspaper's website.

The map, published by The Journal News, allows readers to zoom in on red dots that indicate which residents are licensed to own pistols or revolvers. It had prompted more than 1,700 comments as of Wednesday morning.

Blue dots indicate permit holders who "have purchased a firearm or updated the information on a permit in the past five years."

"So should we start wearing yellow Stars of David so the general public can be aware of who we are??" one commenter wrote.

"This is crazy!" wrote another.

Some of those responding threatened to cancel their subscriptions or boycott the publication.

"I hope you lose readers now," one wrote.

The paper's publisher, Janet Hasson, president of the Journal News Media Group, defended the decision in a statement Wednesday.

"One of our roles is to report publicly available information on timely issues, even when unpopular. We knew publication of the database (as well as the accompanying article providing context) would be controversial, but we felt sharing information about gun permits in our area was important in the aftermath of the Newtown shootings," she said.

The newspaper also said it had wanted to publish even more information.

"We were surprised when we weren't able to obtain information on what kinds and how many weapons people in our market own," the newspaper said in a statement.

County clerks' offices had told the paper that "the public does not have the right to see specific permits an individual has been issued, the types of handguns a person possesses or the number of guns he or she owns," the statement said. "Had we been able to obtain those records, we would have published them."

The map came about in the wake of the massacre in Newtown, Connecticut, The Journal News said.

"In the past week, conversation on our opinion pages and on our website, LoHud.com, has been keenly focused on gun control," the newspaper's editor and vice president, CynDee Royle, said in a statement Tuesday.

The names and addresses of the two counties' permit-holding residents were obtained through the Freedom of Information Act. The website notes that the map does not indicate whether the residents own handguns, only that they are legally able to, and that the data do not pertain to rifles or shotguns, which can be bought without a permit.

Still, hundreds of residents were shocked to see their information posted without their being notified. Some said the map would prompt burglaries because thieves are now aware of where weapons might be found.

"Now everyone knows where the legal guns are kept, a valuable piece of information for criminals," a commenter wrote. "Why don't you do something helpful, like trying to find out where the illegal guns are kept?"

A great majority of readers commenting at CNN.com were opposed to the newspaper's move, but some defended it on the grounds that the public has a right to know who might own weapons.

One commenter wrote: "If you're a gun owner it's a matter of public record. If you're embarrassed by your gun, get rid of it. I have a car and a house -- they're no secret. People contact me all the time trying to sell me stuff. I don't expect a right to privacy for these things."

Another wrote, "Every gun manufactured, transferred, and sold should be on the internet, all on one website, including date of purchase, current owner, stored location, and gun license number."

Several Twitter commenters also came out in support in tweets to CNN:

-- "The gun permit maps are an effective way of showing how horribly widespread gun ownership is."

-- "please thank them. This could be a turning point. I do not want my daughter playing in a house with guns."

-- "LOVE the Gun License map! Excellent information to anyone concerned with who they live around!"

The Journal News argued that residents have a right to access information regarding weapon holders in Westchester and Rockland communities.

"Our readers are understandably interested to know about guns in their neighborhoods," Royle said in her statement.

In an article about the uproar, The Journal News says many of the thousands of people who "have taken to their computers and phones in rage" live outside the counties covered by the map.

In searching through hundreds of comments listed on the website, CNN did not immediately see any in support of the newspaper's decision to publish the interactive map.

The Journal News said it published an article in 2006 that received similar responses, but this time around, social media spread the story far and wide.

In 2007, roanoke.com, the website of The Roanoke Times, published a list of Virginians licensed to carry concealed weapons, and then deleted it the next day. The paper explained that the list, originally published as part of an opinion column, was removed "out of concern that it might include names that should not have been made public."

The Poynter Institute, a school for journalists, notes that some other news agencies have published various types of databases as well.

"Publishing gun owners' names makes them targets for theft or public ridicule. It is journalistic arrogance to abuse public record privilege, just as it is to air 911 calls for no reason or to publish the home addresses of police or judges without cause," Al Tompkins, a Poynter senior faculty member, said in a statement Wednesday. "Unwarranted publishing of the names of permitted owners just encourages gun owners to skip the permitting."

US Defense Secretary Leon Panetta last week said that a recent campaign of cyberattacks on Middle East oil and gas companies "was probably the most destructive attack that the private sector has seen to date." While Panetta did not say that Iran was involved in those attacks, he did note that Iran is trying to "gain an advantage in cyberspace" and warned those who would consider launching cyberattacks against the US that the US is prepared to take action.

[Editor's Note (Assante): One must not lose sight of the big picture when considering the consequences of all cyber attacks on our productivity, competitiveness, and national security. The challenge with the emerging attacks referred to by the Secretary of Defense is in the development of doctrines that are flexible enough to apply the right response to manage the death by a thousand cuts while deterring specific attacks that can directly impact economic and national security. Cyber defense is a job too big for any one organization; we all play an important part in safeguarding our information and critical systems.

(McBride): The tone of Panetta's comments appears to support a stance of deterrence. He well might have said "the U.S. is prepared to take offensive or retaliatory action if and when it can positively attribute highly-destructive attacks to another nation-state." On the other hand, the tone of the comments does not build confidence that the U.S. is prepared to defend and restore. That makes his plea to executives of firms that own and operate critical infrastructure all the more imperative.]

--Flame Relative is a "High-Precision, Surgical Attack Tool"
(October 15, 2012)
Researchers have detected another piece of malware that targets systems used in the Middle East. It is being called miniFlame because it appears to be built on the same platform as the Flame malware, which was detected earlier this year. While Flame focuses on stealing information, miniFlame acts as a backdoor on infected machines to allow attackers access. It also appears to be able to act as a module for both Flame and Gauss, lending more credence to the theory that the two pieces of malware are related. miniFlame can download files from a command-and-control server. It is being called a "high-precision, surgical attack tool."

[Editor's Note (McBride): From an analytical perspective the fact that a sinkhole designed for Flame found miniFlame is a nice windfall (but not necessarily great opsec). Is the fact that Kaspersky continues to find state sponsored malware (allegedly belonging to the United States) surprising - or is the awe wearing off? Is it concerning that the U.S. appears to be a leader in offensive cyber operations? Is the real difference between APT and APF (advanced persistent friendliness) summed up in the amount of trust you have for the motives of the sponsoring nation-state?]

An adviser to Republican presidential nominee Mitt Romney says that part of the former Massachusetts governor’s debate strategy on Tuesday night will be to ask President Barack Obama to “man up” and “accept his responsibility” for the terrorist attacks in Libya.

“There should be an effort to get transparency from President Obama on what he knew and when he knew it,” Romney foreign policy adviser Amb. William Richardson told Fox News host Bill Hemmer on Tuesday. “This was evidence that his so-called success on the war on terror wasn’t so successful. Targeted killings alone can not solve this problem.”

“This helps provide a choice to the American people between more of the same and strong, optimistic, bold leadership under President Romney.”

He continued: “I think Gov. Romney will, quite properly, be asking questions, probing. And trying to ask the president to man up, accept his responsibility and explain to the American people the failure that resulted in four American deaths.”

If Richardson’s preview of Tuesday night’s debate is correct, it could signal part of a broader tactic of subtly questioning the president’s manhood.

During the first debate, Romney had compared the president to his sons when they were “boys” and didn’t tell the truth.

Last week, one of Mitt Romney’s sons even likened Obama’s debate performance to “an obstinate child.”

“I don’t know if you guys saw the debate last week,” Josh Romney told a crowd in Van Meter, Iowa. “I take a lot of pride in that, because — I don’t know if you noticed, but I was — me and my brothers were responsible for my dad doing so well. We were the ones, as kids, that kept saying the same thing over and over. And we’d say the same lie over and over. And my dad learned then, not to believe it. While we didn’t go to any of the formal debate preparation, we did the real hard stuff.”

“So as a father, he learned how to debate an obstinate child,” the younger Romney added. “We had a lot of fun, we had a lot of fun watching the debate.”

Wow, I was just getting ready to post and ask about the possible dates for the Tribal Gathering? Was just checking flights from Hawaii to LA and the prices are really good right now, LOL. I understand it takes some time to figure out. Not sure what will be required of me, the last gathering I attended was the spring gathering at The Monster Garage with Kahuna Dog. Maybe I can get DogZilla to put in a good word for me.

There is a Bandalan school here in Hawaii. I do not have any personal experience with their system; they kind of stick to their own. I know one of the guys from the Hawaii group is a WEKAF champ who participated in contests in the PI. I have some interaction with the student and they are good peeps. Sorry I couldn't provide any useful info.

Iranians have mounted a series of denial-of-service attacks over the past year that target major US banks and other companies, according to two published reports that cite unnamed US officials.

The reports, published on Friday by The Washington Post and Reuters, came a few days after websites for both Bank of America and JPMorgan Chase experienced unexplained service disruptions. US Senator Joseph Lieberman, chairman of the Senate Homeland Security Committee, said on Friday that he believes a unit of Iran's Revolutionary Guard Corps is behind the disruptions, but provided no evidence to support the claim. Neither bank has confirmed that the disruptions were the result of attacks, so it's possible equipment failure or other internal causes are responsible.

According to the Washington Post, US officials suspect that Iran was behind similar denial-of-service attacks, which bring websites to a crawl or make them completely unavailable by overwhelming them with garbage traffic. One such attack was carried out in August, and was aimed at disrupting the websites of oil companies in the Middle East "by routing their efforts through major US telecommunications companies, including AT&T and Level 3," the publication reported, citing US intelligence and industry officials. It was the largest attempted DoS attack against AT&T "by an order of magnitude," an industry official said. The sources spoke on condition of anonymity because they weren't authorized to speak to the press.

According to Reuters, Citigroup has also been targeted in the campaigns, which it said are likely in retaliation for their enforcement of Western economic sanctions against Iran. Reuters also said while the attacks originated in Iran "it is not clear if they were launched by the state, groups working on behalf of the government, or 'patriotic' citizens." The attacks may be intended to distract victims from other, more destructive breaches, the news organization added.

Security experts have long said that it's difficult or impossible to determine the origin or source of many DoS and other computer-based attacks. In the absence of technical evidence that supports claims attacks are coming from Iran, it's not possible to verify them.

By Amber Corrin
Sep 05, 2012

In their respective platforms, the Republicans and Democrats each briefly touch on what they both describe as a paramount threat facing the U.S.: cybersecurity. In keeping with the partisan divides that prevented lawmakers from passing cybersecurity legislation this year, each side offers a different – but decidedly familiar – take on the issue.

While neither party goes in-depth in its platform summary addressing cybersecurity, both include plans with basic tenets that were part of cybersecurity bills that failed in Congress. While there isn’t much in the way of cyber-policy revelations, there are hints of action that could come – including a possible executive order.

The platforms include a handful of similarities: Both sides recognize the significance of the issue, the importance of collaboration within government and with industry, and the need for investment in cyber research and development.

Like proposed legislation that came before, that’s about where the parallels end.

The Republicans call for a hands-off approach that echoes the SECURE IT Act championed by Sen. John McCain (R-Ariz.) earlier this year. The emphasis is on the public and private sectors working together, allowing for “the free flow of information” between network managers and within industry. It also places the onus on the government to better protect its own systems.

The GOP platform also takes swipes at the current cybersecurity policies, saying that the Barack Obama administration is “overly reliant on the development of defensive capabilities and has been unsuccessful in dissuading cyber-related aggression.” The Republican plank criticizes Obama’s approach as “costly and heavy-handed” and says it will “increase the size and cost of the federal bureaucracy and harm innovation in cybersecurity.”

On the other hand, the Democrats’ platform notes some of the cybersecurity steps taken in Obama’s term, and includes vows to continue by investing in research and development, promoting awareness and strengthening public-private partnership.

“The President and the administration have taken unprecedented steps to defend America from cyber attacks, including creating the first military command dedicated to cybersecurity and conducting a full review of the federal government's efforts to protect our information and our infrastructure,” the Democrats’ platform states.

The platform also notes that “going forward, the president will continue to take executive action to strengthen and update our cyber defenses.”

Many, including cybersecurity expert Jim Lewis, say the statement is a strong suggestion of an executive order in the works.

Lewis, director and senior fellow at the Center for Strategic and International Studies, said a presidential directive from Obama likely would aim to compensate for Congress’s failure to pass legislation protecting critical infrastructure.

But which party’s approach would be more effective? Lewis had criticism for both sides, noting that neither offers any novel ideas.

“The Democratic plank says the right things; it just doesn't say anything new other than the [executive order] hint. The Republican plank also doesn't say anything new, but we know what they propose won't work,” Lewis said, noting that the Republican references to deterrence and information-sharing, among others, are particularly troublesome.

“Cyber deterrence doesn’t work. This is a creaky retread from the Cold War,” he said. As for voluntary information-sharing, central to the Republican approach, “it’s legislation, not regulation, that blocks sharing, and Congress failed to fix it.”

But the Democratic approach could be costly – and not necessarily effective, given the government’s notorious bureaucracy and the rapidly evolving nature of cyber.

“The Democratic platform calls for greater government engagement and involvement, but the imposition of mandates would be less effective because the government is not nimble enough to regulate in this area,” said Paul Rosenzweig, visiting fellow at the Heritage Foundation. “How much would the Democratic platform cost? Nobody knows. The Democrats couldn’t tell you before when [the bipartisan Cybersecurity Act of 2012] was being considered, and the same questions are being asked now.”

Danger within: Insider threat

David Cotriss
July 02 2012

The theft or misuse of corporate assets by a trusted individual poses challenges, but there are strategies and tools to put in place, reports David Cotriss.

How big a problem is the threat from insiders?

“Bigger than most people realize because many times they can't tell if they have an issue,” says Craig Shumard, principal of Philadelphia-based Shumard and Associates, a strategic security consulting firm, and former vice president of security at Cigna Insurance. Insider threats are often under-reported, he says, because companies do not want it known that they've become victims of such attacks. At other times, an enterprise may be unaware it has been compromised.

There's a widely reported mythology that insider-spawned breaches occur far less frequently than external attacks, says James Quin, lead research analyst at Ontario, Canada-based Info-Tech Research Group. When his organization interviewed companies about the issue, the survey found that the accepted wisdom proved not to be true. Quin says that while the prevalence of malicious insider incidents is indeed quite low, erroneous or accidental breaches are “happening with alarming frequency.” That is, although insiders are to blame for some malicious activity, add to that the high rate of employees unintentionally causing a data leakage incident, and the tally for insider culpability mounts.

The problem is exacerbated by the fact that companies are not prepared or equipped to deal with such incidents. “We're finding that organizations don't have an insider threat program in place,” says Dawn Cappelli, technical manager at the Computer Emergency Response Team (CERT) Insider Threat Center, a research-and-development entity at Carnegie Mellon University's Software Engineering Institute in Pittsburgh. CERT is working with the federal government and private companies to design a prevention and mitigation program. Most corporations, she says, are focused on protecting their networks from outside threats, but they don't yet have anyone in charge of insider threat mitigation. This situation must change, with one person given authority and responsibility for dealing with insider threats. To succeed, that person must have the backing of general counsel because of privacy issues, and they must work well with IT and human resources.

Cappelli adds that in last year's “Cyber Security Watch” survey from Deloitte, 46 percent of respondents said insider attacks were more costly to their organization than external attacks. Yet most companies that have purchased software tools that are marketed as internal attack mitigation solutions are using them only to address external attacks.

While the incidence of insider incidents has stabilized over the past few years, the opportunities have increased because of greater use of third-party contractors, the bring-your-own-device (BYOD) phenomenon, and the co-mingling of personal and business data spurred by the popularity of smartphones and tablets. Today, attacks can be launched at handheld devices, and this vector has become a major source of data leakage. Furthermore, despite all the new tools that have been developed over the past few years, “25 to 30 percent of threats cannot be controlled by technology,” says Shumard.

It is not feasible to completely stop malicious data leakage, agrees Quin. “Technology cannot address everything,” he says. “You can't stop people writing things down with a pencil and a piece of paper.”

As well, privileged users can insert malicious code almost anywhere without it being flagged as anomalous activity, he says. They have the ability to override system controls without detection.

“You can't stop insider threats,” says Andy Ellis, CSO at Cambridge, Mass.-based Akamai Technologies, which provides a platform for conducting business online. “What you need to worry about is how to keep your employees happy. What are you doing for employee retention? A lot of insider threats come from unhappy employees. How do you prevent the trusted insider from doing something that threatens the company?”

For Ellis, the threat fell close to home. Akamai was the victim of a foiled attempt by a former employee to spy on the company. Elliot Doxer pleaded guilty last year to a charge of foreign economic espionage for providing trade secrets to an FBI agent posing, over a two-year period, as an Israeli intelligence officer. When Doxer contacted the Israeli consulate and offered to give it confidential information in exchange for money, the consulate contacted the FBI.

To best thwart the malicious attacker, Shumard recommends looking at anomalous behavior. “Take people who hold the same position who have the same job rules and access,” he says. “Why does one employee log-on at 4 in the morning and log-off at 10 at night, while other employees log on at 8 in the morning and log off at 4 in the afternoon? Why would one person download 2,400 documents in a day while the others are downloading 20 or 30? There might be a valid reason for this, such as a special project, but these are indicators of possible malicious behavior.”

Meanwhile, many companies tend to ignore accidental data leaks, even though they can prove costly. Two-thirds of all insider threats are unintentional, says Quin. For example, sending an email to an entire list instead of one intended recipient, or hitting “reply all” instead of “reply,” could have severe consequences.

“Companies have to start contemplating solutions to correct this,” he says. “We haven't done a good job of educating employees about appropriate custodial care of data.”

Shumard agrees. “Sometimes it's just people not understanding proprietary information or a highly sensitive piece of information,” he says. He recommends that companies hold security awareness training for all employees. “Education is important because people have to understand the rules and abide by them.”

Be proactive, says Ellis. He follows Akamai employees on LinkedIn because if there is suddenly a flurry of new connections, it's likely that an individual is looking for a new job. Depending on the access that person has to sensitive information, he says the prudent approach is to take some preventative action.

However, Ellis also says organizations must weigh the cost of prevention tools versus the value of the potentially leaked information. And, he says sometimes a corporation is paying for technology that slows down the speed of innovation.

The sensible methodology, according to CERT, is to use a combination of technical and non-technical potential indicators of malicious activity to identify individuals who may be more likely to commit an unauthorized act. By monitoring and controlling outbound traffic, an organization can greatly increase its chances of mitigating malicious activity.

Data leakage: Prevention

To thwart the inevitability of attacks from within, CERT recommends that companies log all downloads and set alerts when critical information is copied to removable media. Other recommended actions are:

■ Implement continuous logging
■ Audit individual actions in logs for privileged accounts
■ Audit logs for activity of resigning or terminated employees
■ Log anytime a device or peripheral is attached; alert if an unidentified device is attached, i.e., a keystroke logger
■ Alert of suspicious traffic
■ Monitor for unauthorized accounts
■ Review user accounts on a regular basis to ensure that active accounts are valid and configured properly
■ Monitor privileged users
■ Don't give users more privileges than they need
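The peer-group comparison Shumard describes and CERT's removable-media and unidentified-device alerts can be combined in one log review, sketched here as an added example that is not from the article or from CERT. The event fields, role name, device inventory and the sample day are constructed assumptions, and the modified z-score with a 3.5 cutoff is one common choice for the outlier test.

```python
from collections import defaultdict
from statistics import median

KNOWN_DEVICES = {"kbd-0417", "mouse-0417"}  # assumed asset inventory
THRESHOLD = 3.5                              # common cutoff for the modified z-score


def high_outliers(per_user, floor=1.0):
    """Return {user: score} for values far above the peer-group median.

    The modified z-score uses the median and the median absolute
    deviation (MAD), so one extreme user cannot drag the baseline up
    the way a mean would. `floor` keeps MAD from collapsing to zero
    when most peers share the same value.
    """
    values = list(per_user.values())
    if len(values) < 3:                      # too few peers for a baseline
        return {}
    med = median(values)
    mad = max(median([abs(v - med) for v in values]), floor)
    scores = {u: 0.6745 * (v - med) / mad for u, v in per_user.items()}
    return {u: round(s, 1) for u, s in scores.items() if s > THRESHOLD}


def review(events):
    """Review one day of events; return sorted (finding, user, detail) tuples."""
    downloads = defaultdict(lambda: defaultdict(int))  # role -> user -> count
    logon, logoff, roles, findings = {}, {}, {}, []
    for e in events:
        user, action = e["user"], e["action"]
        roles[user] = e["role"]
        if action == "download":
            downloads[e["role"]][user] += 1
        elif action == "logon":
            logon[user] = min(e["hour"], logon.get(user, 24))
        elif action == "logoff":
            logoff[user] = max(e["hour"], logoff.get(user, 0))
        elif action == "copy_removable" and e.get("classification") == "critical":
            findings.append(("critical-data-to-removable-media", user, e["file"]))
        elif action == "device_attach" and e["device"] not in KNOWN_DEVICES:
            findings.append(("unidentified-device", user, e["device"]))

    # Hours between first logon and last logoff, grouped by role.
    spans = defaultdict(dict)
    for user in logon.keys() & logoff.keys():
        spans[roles[user]][user] = logoff[user] - logon[user]

    # Compare each user only against peers holding the same role.
    for per_user in downloads.values():
        for user in high_outliers(per_user):
            findings.append(("download-volume-vs-peers", user, per_user[user]))
    for per_user in spans.values():
        for user in high_outliers(per_user):
            findings.append(("session-span-vs-peers", user, per_user[user]))
    return sorted(findings)


def _day(user, role, on, off, n_downloads):
    """Build one constructed working day for a user."""
    day = [{"user": user, "role": role, "action": "logon", "hour": on},
           {"user": user, "role": role, "action": "logoff", "hour": off}]
    return day + [{"user": user, "role": role, "action": "download"}] * n_downloads


# Constructed sample data that mirrors the figures quoted in the article.
ROLE = "claims-analyst"
EVENTS = (_day("ana", ROLE, 8, 16, 22) + _day("ben", ROLE, 8, 16, 27)
          + _day("cho", ROLE, 9, 16, 30) + _day("dev", ROLE, 8, 16, 25)
          + _day("eli", ROLE, 4, 22, 2400)
          + [{"user": "eli", "role": ROLE, "action": "copy_removable",
              "classification": "critical", "file": "pricing-model.xlsx"},
             {"user": "ben", "role": ROLE, "action": "device_attach",
              "device": "hid-unknown-01"}])

if __name__ == "__main__":
    for finding in review(EVENTS):
        print(finding)
```

A finding is a prompt for review rather than a verdict; as the article notes, a special project can explain the same pattern.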

What does the nation's first cyber security coordinator do for an encore on leaving government service?

First, one would believe that Howard Schmidt, a 40-year veteran of the discipline, will be penning another book, this one detailing the three years he spent serving in the Obama administration as the United States' top computer security adviser. He stepped down at the end of May.

One knows for a fact, however, that he has joined the board of security and compliance firm Qualys, where his main role will be advising on governance, strategic direction for the company and providing guidance to Philippe Courtot, the chairman and CEO. “It's all about being part of a team as opposed to an individual effort,” Schmidt said.

And, it's more than simply contacts in the government that Courtot expects. “Howard is technical enough, he knows the problems very well,” he said. “It's more about, ‘How do you present and package, where should we focus our energy so we can essentially play a bigger role with the federal government.' So, having Howard, it's very welcome and timely.”

The two also plan to revive an initiative they co-founded in 2004, the CSO Interchange, which brings security chiefs together from all sectors to discuss problems they are facing. “It's really an environment to bring CSOs together to make things move forward, as opposed to a meeting where people just want to sell something,” Schmidt said.

When they first began the international series of roundtables and breakfasts, there was a lot of resistance from the government sector in applying cloud technologies, as they wanted to control the data, Courtot recalled. “But today, we're at the point where necessity and the growth of attacks have become more pervasive,” he said. “They are now looking for solutions that work and that are cost effective as well, because you can't throw millions of dollars at the problem.”

Speaking of his time at the White House, Schmidt said, “Like any security position, it takes a lot of work. There's a lot of stuff that needs to be discussed. What works for one company, may have less than a positive impact on another one.”

His role, he said, was to bring everybody together to look for solutions. He points to the National Strategy for Trusted Identities in Cyberspace, or NSTIC, a White House initiative to foster collaboration between the government and private sector to better the privacy, security and convenience of online transactions, as one of the administration's major successes. The point, he said, was to look at ways to move away from an environment of user IDs and passwords and get something the private sector can build – an ecosystem where users can migrate to systems that are less likely to be compromised.

He also oversaw advancements in international cyber strategy. “Working with a great team across the government and with international partners, the International Strategy for Cyberspace [a policy document that sets an agenda for partnering with other nations] was looking at several things – from prosperity to economics to military action to peaceful activity,” he said.

It's very difficult to stop the threats, Schmidt said. “What you can do is stop the threats from being successful. And that's making sure everything that you're doing – in the cloud, on the desktop, browser, server environment – you can reduce the vulnerabilities so that no matter what someone throws at you, it's less likely to be successful.”

NSA chief asks hackers at Defcon for help securing cyberspace

NSA Director General Keith B. Alexander called the Defcon attendees the world's best cybersecurity community

By Lucian Constantin, July 29, 2012 12:20 AM ET

IDG News Service - National Security Agency Director General Keith B. Alexander addressed the attendees of the Defcon hacker conference in Las Vegas on Friday and asked for their help to secure cyberspace.

"This is the world's best cybersecurity community," said Gen. Alexander, who also heads the U.S. Cyber Command. "In this room right here is the talent our nation needs to secure cyberspace."

Hackers can and must be part, together with the government and the private industry, of a collaborative approach to secure cyberspace, he said.

Hackers can help educate other people who don't understand cybersecurity as well as they do, the NSA chief said. "You know that we can protect networks and have civil liberties and privacy; and you can help us get there."

Gen. Alexander congratulated the organizers of Defcon Kids, an event dedicated to teaching kids how to be white-hat hackers, and described the initiative as superb. He called 11-year-old Defcon Kids co-founder CyFi to the stage and said that training young people like her in cybersecurity is what the U.S. needs.

The NSA director stressed the need for better information sharing between the private industry and the government and noted that the Congress is currently debating legislation to address this.

NSA's and U.S. Cyber Command's roles are to protect the nation from cyberattacks and foreign intelligence, Gen. Alexander said. The issue is that if you don't see a cyberattack you can't defend against it and at the moment, the NSA has no insight if Wall Street is going to be attacked, for example, he said.

Gen. Alexander pointed out that if the industry could share some limited pieces of information from their intrusion detection systems in real time, the NSA could take it from there.

The next step from information sharing is jointly developing standards that would help secure critical infrastructure and other sensitive networks, he said.

He encouraged hackers to get involved in the process. "We can sit on the sidelines and let others who don't understand this space tell us what they're going to do, or we can help by educating and informing them" of the best ways to go forward.

"That's the real reason why I came here. To solicit your support," he said. "You have the talent. You have the expertise."

At the Aspen Security Forum conference on Thursday, Gen. Alexander revealed that there's been a 17-fold increase in cyberattacks against U.S. infrastructure between 2009 and 2011, the New York Times reported.

The hacker community has built many of the tools that are needed to protect cyberspace and should continue to build even better ones, he said during his keynote at Defcon. He gave the example of Metasploit and other penetration testing tools.

"Sometimes you guys get a bad rap," he said. "From my perspective, what you're doing to figure out vulnerabilities in our systems is great. We have to discover and fix those. You guys hold the line," he said.

Gen. Alexander's presence at Defcon was a rare event. Before introducing him to the stage, Defcon founder Jeff Moss, who is the chief security officer of ICANN and a member of the U.S. Homeland Security Advisory Council, revealed that he has tried for the past 20 years to get a high-ranking NSA official to speak at the conference.

"Like magic, on our 20th anniversary and NSA's 60th anniversary it's all come together," Moss said. "For me it's really eye-opening to see the world from their [NSA's] view."

Taking the Cyberattack Threat Seriously

In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home.

Last month I convened an emergency meeting of my cabinet and top homeland security, intelligence and defense officials. Across the country trains had derailed, including one carrying industrial chemicals that exploded into a toxic cloud. Water treatment plants in several states had shut down, contaminating drinking water and causing Americans to fall ill.

Our nation, it appeared, was under cyber attack. Unknown hackers, perhaps a world away, had inserted malicious software into the computer networks of private-sector companies that operate most of our transportation, water and other critical infrastructure systems.

Fortunately, last month's scenario was just a simulation—an exercise to test how well federal, state and local governments and the private sector can work together in a crisis. But it was a sobering reminder that the cyber threat to our nation is one of the most serious economic and national security challenges we face.

So far, no one has managed to seriously damage or disrupt our critical infrastructure networks. But foreign governments, criminal syndicates and lone individuals are probing our financial, energy and public safety systems every day. Last year, a water plant in Texas disconnected its control system from the Internet after a hacker posted pictures of the facility's internal controls. More recently, hackers penetrated the networks of companies that operate our natural-gas pipelines. Computer systems in critical sectors of our economy—including the nuclear and chemical industries—are being increasingly targeted.

It doesn't take much to imagine the consequences of a successful cyber attack. In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home. Taking down vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency. And as we've seen in past blackouts, the loss of electricity can bring businesses, cities and entire regions to a standstill.

This is the future we have to avoid. That's why my administration has made cybersecurity a priority, including proposing legislation to strengthen our nation's digital defenses. It's why Congress must pass comprehensive cybersecurity legislation.

We all know what needs to happen. We need to make it easier for the government to share threat information so critical-infrastructure companies are better prepared. We need to make it easier for these companies—with reasonable liability protection—to share data and information with government when they're attacked. And we need to make it easier for government, if asked, to help these companies prevent and recover from attacks.

Yet simply sharing more information is not enough. Ultimately, this is about security gaps that have to be filled. To their credit, many of these companies have boosted their cyber defenses. But many others have not, with some lacking even the most basic protection: a good password. That puts public safety and our national security at risk.

The American people deserve to know that companies running our critical infrastructure meet basic, commonsense cybersecurity standards, just as they already meet other security requirements. Nuclear power plants must have fences and defenses to thwart a terrorist attack. Water treatment plants must test their water regularly for contaminants. Airplanes must have secure cockpit doors. We all understand the need for these kinds of physical security measures. It would be the height of irresponsibility to leave a digital backdoor wide open to our cyber adversaries.

This approach stays true to our values as a society that cherishes free enterprise and the rights of the individual. Cybersecurity standards would be developed in partnership between government and industry. For the majority of critical infrastructure companies already meeting these standards, nothing more would be expected. Companies needing to upgrade their security would have the flexibility to decide how best to do so using the wide range of innovative products and services available in the marketplace. Moreover, our approach protects the privacy and civil liberties of the American people. Indeed, I will veto any bill that lacks strong privacy and civil-liberties protections.

This is exactly the kind of responsible, collaborative approach to an urgent national-security challenge that Americans expect but that Washington too rarely provides. It reflects the insights and ideas of industry and civil libertarians. It is sponsored by a bipartisan group of senators. It is supported by current and former homeland security, intelligence and defense leaders from both Republican and Democratic administrations.

Today we can see the cyber threat to the networks upon which so much of our modern American lives depend. We have the opportunity—and the responsibility—to take action now and stay a step ahead of our adversaries. For the sake of our national and economic security, I urge the Senate to pass the Cybersecurity Act of 2012 and Congress to send me comprehensive legislation so I can sign it into law.

It's time to strengthen our defenses against this growing danger.

Mr. Obama is president of the United States.

A version of this article appeared July 20, 2012, on page A11 in the U.S. edition of The Wall Street Journal, with the headline: Taking the Cyberattack Threat Seriously.

Forgive me the moment of Captain Obvious but "It is difficult to know who is attacking a network. Once the identity of the attackers is verified, and if they are indeed a nation-state, then the (attacked state) must decide if retaliation is necessary."

So, thanks to Pravda on the Hudson working in conjunction with CiC Obama and his inner circle, the Iranians now have confirmation Stuxnet was us AND they have been publicly humiliated.

There could be a day when the United States decides to retaliate in cyberspace for a computer-based attack on its networks or infrastructure.

Normally, two nations at war would garner 24-hour news coverage, boldface headlines and Pentagon briefings. But this would be a conflict waged with “ones” and “zeros” across computer networks. The damage may be unseen, and even “fixed” within a few short hours. The public may not even realize that it’s occurring.

It’s fashionable to use the same lexicons and to make comparisons, but cyberwar is nothing like real “kinetic” war, said Martin C. Libicki, a researcher and author of a new Rand Corp. book, Cyberdeterrence and Cyberwar, which takes an in-depth look at what would have to occur for two state actors to engage in such a conflict. (Correction: The book was initially published in 2009).

“Cyberwar is not simply kinetic war in another dimension. It’s got a different set of rules, a different set of parameters, a different set of questions, a different set of answers,” he said at a Capitol Hill briefing Feb. 22.

That’s one reason why a cyberwar could play out unseen by most people. The shutting down of electrical grids would be noticed, but the manipulation of data on other systems may not immediately come to light. It took one full year for Iranian scientists to realize that the software had been compromised by the Stuxnet virus, Libicki noted.

There have only been four known acts of cyberwar, Libicki said: the denial-of-service attacks on Estonia in 2007 and on Georgia during its war with Russia in 2008, an Israeli attack on Syrian air defense radars in 2007, and the Stuxnet virus that was aimed at damaging Iranian centrifuges associated with its nuclear energy program.

Cyberattacks cannot be confused with cyberespionage, he noted. Nations do not go to war over spying, he said. The book examines large-scale, tit-for-tat cyber-assaults between two nations. It does not ponder the implications of an attack by terrorists because there are few opportunities for retaliation. If al-Qaida were to shut down a U.S. electrical grid, the United States could not respond in kind because the group has no infrastructure, he said.

Libicki also does not address tactical actions, or what he calls an “operational cyberwar” during a real-world conflict where an adversary may try to take down network-enabled systems to gain an advantage on the battlefield. “In the context of a physical war, that makes a certain amount of sense,” he said.

Attribution is one of the keys to retaliating against a cyberattack, he noted. It is also one of the hardest aspects. It is difficult to know who is attacking a network. Once the identity of the attackers is verified, and if they are indeed a nation-state, then the United States must decide if retaliation is necessary.

In the event of a cyberwar, there is unlikely to be long-term damage. An attack or counter-attack can only occur if there is a vulnerability in a computer system. Vulnerabilities can be patched up quickly, or traffic can be rerouted away from the system — in most cases within hours and days. In regular warfare, the ability to hit the same target several times, known as “serial reapplication,” is a part of warfare and can be a deterrent. But once a counter-attack occurs, it tips the adversary off and subsequent attacks may not be as effective, he said.

Battle damage assessment is hard to determine. The decision to launch a counter-attack may hinge on knowing how much harm to the opponent’s system could be inflicted. That is difficult to assess, he added.

“Are the effects obvious to the public?” is a question that needs to be asked. “If the effects are not obvious to the public, you don’t lose public face by not retaliating,” he said. However, the United States could launch a counter-attack in ways that are not obvious to the opponent’s public. There needs to be a message conveyed to the leadership “about the lack of wisdom in attacking the United States in cyberspace.”

Another reason why the public may not be informed of a cyberwar is the risk that a third party could insert itself into the conflict. If the United States and China were engaged in such a war, for example, a hacker — someone sitting on a couch in a basement somewhere — or a third nation interested in seeing a prolonged conflict, could surreptitiously launch computer assaults and escalate the war.

“An exchange of cyber-attacks between states may also excite the general interest of superpatriot hackers or those who like to dogpile — particularly if the victim of the attack or the victim of retaliation, or both, are unpopular in certain circles,” Libicki wrote in the book, which was commissioned by the Air Force. The two adversaries may blame each other for the attacks, and not be aware that they are being manipulated.

A cyberwar that flies under the radar of the general public is possible, but unlikely, simply because these incidents tend to bubble to the surface despite the best efforts of the government, he said.

“There is a tendency in some communities to believe that everything they do is covert, and no one is ever going to hear about it, and then mistakes get made,” he said.

Deterrence worked well in the nuclear age. The Soviet Union and the United States never engaged in a nuclear conflict. “The best defense is a good offense,” is one of the axioms U.S. leadership has said about thwarting a large-scale cyber-attack.

So how good is the United States? Its cyber-offense capabilities have been largely kept out of the public eye. Libicki didn’t want to reveal much in a nonclassified setting, saying only that, “We’re really good. ... In fact, I think we’re better than anybody else. We’re also very professional about this. The state of our tradecraft is very good.”

A cyberwar is not something that keeps Libicki up at night. Like nuclear war, it is a low probability, high-consequence scenario. The number of potential adversaries that have the ability to carry out such an attack, as well as the desire to pull the trigger and risk the ire of the United States, are few, he noted.

“This is one of these cases where you have to look at defense and offense and somehow come up with a happy medium,” he said. Shoring up defenses in the nation’s electrical grids would be a good place to start, he noted. But to not have a good offense would result in “a hollow deterrence policy,” he noted.

Anonymous, a loosely organized group of hackers that has targeted big businesses and governments, could be co-opted by nation states and terrorist groups that want to use it for their own ends, cybersecurity experts said May 17.

Anonymous reportedly has some 50,000 members. It is generally believed to not have a central leadership. That leaves it open for infiltration by hackers affiliated with nations such as China, Russia or Iran. They could surreptitiously use or manipulate the organization to carry out attacks on their behalf, said Lewis Shepherd, director of the Microsoft Institute for Advanced Technology in Governments.

"There is evidence of this, but it is classified," Shepherd said at the Counter Terror Expo in Washington, D.C. Al-Qaida in its literature has also expressed interest in using the group, he added.

Anonymous has been called everything from hacktivists to terrorists, and has attacked governments of all types. The group is also well known for going after child pornographers. On Tuesday, it was reported in the Indian press that Anonymous was suspected of taking down the nation's Supreme Court website after the Indian government announced some new Internet policies. About three dozen of its members have been arrested.

There is precedent for such groups being infiltrated, Shepherd said. The Soviet Union and China in the 1950s and 1960s were adept at infiltrating and sometimes taking over homegrown national liberation movements in developing nations and using them in their global rivalry against the West.

"They didn't always have complete control of the operations of these national liberation movements, but strategically they were certainly able to exploit their activities," he said.

The degree of state-sponsored influence or guidance in Anonymous' ranks is unknown, and hasn't received a lot of attention yet, he added. Companies that find themselves the target of Anonymous should take responsibility for protecting their own data, he said. But stopping a nation state from an attack is something different. In that case, there has to be a close partnership between industry and government.

David J. Smith, director of the Potomac Institute Cyber Center, said Anonymous' greatest strength is also its greatest weakness: it is leaderless, it is amorphous and nobody knows who they are.

"If somebody decides they are going to be Anonymous, they are anonymous. So you could get Russians, Chinese, Iranians. You could start getting a nation-state threat, or ... an Al-Qaida getting into the business of masquerading, literally, as Anonymous," Smith said. "I think that is something we really need to take a look at."

TOP OF THE NEWS

--US Senators Draft Proposed a Cybersecurity Bill Compromise (June 7, 2012)

US Senators Sheldon Whitehouse (D-Rhode Island) and Jon Kyl (R-Arizona) are circulating a draft proposal for a cybersecurity bill that aims at satisfying legislators on both sides of the aisle. Democrats support legislation that would impose mandatory cybersecurity standards on systems that are part of the country's critical infrastructure, while Republicans support legislation that encourages threat information sharing but does not compel the utility companies to comply with requirements. The draft legislation treads a middle ground, offering incentives for companies that meet established "baseline performance goals" of cybersecurity. The incentives would include liability protections, edges in acquiring government funding, and technical cybersecurity assistance.

http://thehill.com/blogs/hillicon-valley/technology/231601-senators-float-compromise-on-cybersecurity-mandates-

If this is the case we might begin looking for evidence of more code from Operation Olympic Games floating around in cyberspace. Flame provides a framework for future warfare in cyberspace, as proposed by eScan Blog here. (Link ref: http://blog.escanav.com/2012/05/31/flame/)

It does not appear that Flame is used to feed information to Stuxnet, so for what is the information obtained by Flame used?

Ah, that is the $64,000 question. There appear to be other programs floating around, therefore, using the information obtained by Flame. We know the information obtained by Flame comes from systems connected with the internet, so offline facilities, such as Natanz, should not provide any information.

I can speak only for the US, where the vast majority of military equipment is not connected to the internet; it is on separate networks. I am assuming Iranian systems are the same. This leaves critical infrastructure, such as electrical facilities, power sources, transportation and such, which can all have military applications.

As I am careful to state, time and again, the targets must be used solely by the military to comply with the Laws of Armed Conflict. From experience we have seen that Iran might not apply their targeting criteria so studiously, especially when they have proclaimed their nuclear program is entirely for civilian use.

When targeting electrical systems that supply power to the military, it is difficult to avoid civilian bleedover. It will be interesting to observe what the Iranians will target.

Last week the Wall Street Journal reported that the FBI opened an investigation into the source of recently leaked information regarding covert operations conducted by the U.S. government.

Now Attorney General Eric Holder has appointed two federal prosecutors to lead the investigation into leaks concerning the government's use of a sophisticated cyber weapon known as Stuxnet and a foiled attack by al Qaeda in the Arabian Peninsula.

“These two highly-respected and experienced prosecutors will be directing separate investigations currently being conducted by the FBI. I have every confidence in their abilities to doggedly follow the facts and the evidence in the pursuit of justice, wherever it leads,” Holder said.

Previously, FBI Director Robert Mueller had announced an investigation into the leaking of information surrounding the disruption of a planned attack using a bomb concealed in undergarments.

With the appointment of special investigators by Holder, the probe has widened to include the disclosure of the development of the Stuxnet virus, which infected systems that provided operations control for Iranian production networks, and was most likely produced to stifle Iran's nuclear weapons program.

“Leaks such as this threaten ongoing operations, puts at risk the lives of sources, makes it much more difficult to recruit sources, and damages our relationships with our foreign partners,” Mueller said last month.

Stuxnet, which emerged in 2010, targeted Siemens Programmable Logic Controllers (PLCs) and is thought to have caused severe damage to equipment at Iranian uranium enrichment facilities, setting back the nation's weapons program by as much as several years.

Stuxnet is largely considered to be a game changer in the world of information security, as the infection did not merely cause problems with the tainted systems, but actually effected kinetic damage on the equipment those systems controlled.

The leaked information about the development of the Stuxnet virus was revealed in an article by New York Times writer David Sanger, which prompted Holder's move to appoint special investigators.

“Leaks such as this have … a huge impact on our ability to do our business, not just on a particular source and the threat to the particular source, but your ability to recruit sources is severely hampered,” Mueller said.

“In cases such as this, the relationship with your counterparts overseas are damaged and which means that an inhibition in the willingness of others to share information with us where they don’t think that information will remain secure. So it also has some long-term effects, which is why it is so important to make certain that the persons who are responsible for the leak are brought to justice," Mueller maintains.

Senator John McCain of Arizona suggested that the leaks may have been intentional on the part of the White House in "an attempt to further the president's political ambitions for the sake of his re-election at the expense of our national security."

White House spokesman Josh Earnest rebutted the speculation, stating "It's classified for a reason, because publicizing that information would pose a significant threat to national security."

President Obama also denied there was an intentional leak emanating from the White House, stating that “the notion that my White House would purposefully release classified national security information is offensive. It’s wrong."

The investigation could result in multiple subpoenas, including those directed at White House officials and Times reporter Sanger.

“[The reporters] are going to fight you tooth and nail but, eventually … you can actually subpoena them - but there are strict guidelines," said former federal prosecutor Peter Zeidenberg.

The people behind the Flame malware network appear to have responded to recent publicity by sending out a command that has caused it to self-destruct. Some of the command-and-control servers in Flame's infrastructure sent out a file that is essentially a Flame uninstaller, which also overwrites the disk with random characters to help disguise its footprint.

With the new spate of malware attacks (alleged by nation state actors) as well as other attacks by the likes of Anonymous on down to the usual cast of criminal characters, I have been taking stock of the “bigger picture.” What I have come to the conclusion of, is that we, out of all things, the creators of the internet, the computers, the code, and the universe in general (probabilistic, Newtonian, quantum, etc if you believe we in fact create our consensual reality) are the one common flaw in security.

Take that statement in a bit… I’ll be back in a moment while you ponder….

Ok, thought that through a bit? For me, the statement is an ultimate truth. We create all these things (for me universe included by perception) and in the case of the security over or within the systems that we make and use, are its core failing. We, for a lack of a better term, are “flawed” and thus, our systems will always be so. In the case of security today, we can see this from many angles, not just within the realm of computer security or data security, but also our efforts in war or protection from terror (a la DHS and the TSA). There are inherent flaws and unpredictable outcomes vis a vis human nature that really have to be taken account of before we can really even consider something to be more secure than not.

This is an issue that I think many are overlooking as they seek to make the better mousetrap cum Rube Goldberg device that will then sit blinking in your rack at the NOC. Boiling it all down to the sum total of security issues, we have the human being and their “nature” to consider as the driver of the ill as well as the arbiter of demise in any security scenario we can think up here. This is why I have decided to write this post, I want you all to stop, take a look around you, and see the problem from the macroverse instead of the microverse of code and hardware.

It’s all in the wetware man.

Human Nature, It’s Anathema To Security

Human nature… What a many-splendored thing huh? It gives us so much latitude as a species to be dominant on this planet and yet, we still seem to be unable to overcome it and protect ourselves from its downside. Of course it isn’t just that our nature precludes us from attempting to secure things today, it’s also that we are using technologies that we built, us, fallible beings who tend to code in error and without foresight into how it could be abused. On that note, the abuse of the code itself is also human nature, we are always pushing the bounds trying to outdo others or just test the bounds of our realities so, it’s a natural progression really. Of course then there is also criminality, and the darker tendencies that we all have… We are just a pile of trouble aren’t we?

On the other hand, there is also the tendency for laziness today that we all have, whether that be intellectual or other slothly behaviors that can be and often times, are the cause for security failures. It is laziness in coding and a desire to work faster and maximize profits for example, that lead many people down the path of sloppy code and massive vulnerabilities therein. Couple this with the need for speed that today’s work environment (time is money calculations aside) demands, and we have the mix for epic failure much of the time. Oh, and lest we forget hubris, like that of Microsoft, coming so late to the security game in their coding and testing of operating systems, that, in effect are the most frequently vulnerable as well as the biggest target from user base perspectives.

Oh, and there are also the basics of human nature such as being helpful, or other more base desires that often are the unraveling of security measures. You can have all the defenses in the world, but all it takes is one person saying “Gee! Look! A USB stick in the parking lot! ITS ALL MINE!!! I MUST PLUG IT IN NOW!” How often have you pentesters out there reading this now used that very exploit? Over and Over and Over again and had success each time. How many of us have had the door held for us even when we don’t have a badge? Yeah, I know, many have and though have been warned on the perils of doing so, still do it out of instinct or perhaps social programming.

It’s human nature that is the undoing of the best laid plans of mice and men…

What I am getting at is a simple truth, we are the problem. If we aren’t creating the poorly coded software, then we are the ones opening the gates to the Hun horde, or worse, we are in fact that Hun horde and are exploiting those weaknesses for our own gains (whether it be nation state, pentester as a job, or criminal to make a buck) it’s all driven by our nature.

HUMINT and The Push Of Social Media

So enters the era of “Social Media” and wow, we are a social animal aren’t we? We have Facebook, where we seemingly just expose all of our foibles, secrets, and other trivia daily, no, wait, by the second, every day. Who knew we would be so in need of telling everyone (not to mention showing everyone screen shots of our meals) about every little thing we do? Our location at that time, or perhaps that little Timmy took his first solid dump. *shudder* It’s little wonder that you see how much the government is interested in our “social” data huh? We are so willing to just give it up without a thought to it.

It’s our nature I guess… Tribes around a digital fire now…

Back to social media and HUMINT though, you see, this is the next wave. Since everyone wants to communicate on the Internet, then it’s easier to communicate with anyone and everyone in a way that, as we have seen, allows for a lot of data gathering, and manipulation. See, now we have the infrastructure populated, we will now use it, subvert it, for goals other than just befriending someone. Hell, we now have bots that do it for us right? How do you know that that person you are talking to on Twitter is a person or a heuristically adept bot? Give it some pause…

Think about the potentials here for every kind of abuse or manipulation. Anything from online advertising using Turing bots to intelligence agencies and others gathering data on you all for whatever purpose serves their needs, and you, you are the commodity.. The “asset” So, yes, as the technologies advance and the human nature side of things continues to allow for strides in security as well as the inevitable setbacks, you, will become the ultimate target of the easy score for data that could lead to compromise. After all, what do you think the real persistent threats rely on? Human nature, our nature and proclivities for social interaction, which, really, is what the Internet is all about huh?

Now, as you go to post on Facebook about your last meal.. Ponder this…

So, How Do We Remediate All of This?

Is remediation possible? Can we change the vagaries of human nature to the point where we can actually not only secure systems adeptly, but also secure the end users to disallow the lowest of the low hanging fruit? Can we get coding initiatives that work and for God’s sake, come up with non Turing complete machines and code? One wonders if it is ever really a possibility, and frankly, the sense I get of things lately in the security community is no. We will never win the battle, the war will rage on forever and at least we will have jobs, but, we must get used to failure in the grander scheme of things.

Once again, human nature is the arbiter here and, well, we are human aren’t we? I guess the answer is no, we will never be able to remediate it all. As we move forward with an uncertain digital world, one where we have put all our eggs in one digital basket (yes, power, light, water, control) we all must look at the nature of it all and ponder what have we done to ourselves here? Has our nature and a propensity for laxity in thought and deed placed us in greater jeopardy? Will we ever learn from the things we have seen already and try to remedy the situations? Or will we just go on blithely until such time as there is an epic failure that causes us pain?

This is not to say it will happen, nor that I believe it will be as epic as some on Capitol Hill would have you think, nor those in the shadows selling them the digital snake oil in the first place. What I see though is that unless we get smarter and try to manage our natures here, some will end up exploiting them to our collective detriment. Whether it be the laws around our privacy, or lack thereof, or the connecting of systems upon systems that, should one fail in a cascade, we really could have a problem, we all have to take a step back and look in the mirror.

Scene: POTUS stands silhouetted in the doorway of the SITROOM looking intently at a small tablet screen. Around him his cyber generals sit shifting uncomfortably from time to time in the long pregnant pause.

POTUS: “Clarke, so, you say this is the only way that we can get into and destroy their capability?”

Clarke: “Yes,” he says lugubriously

POTUS: “Well then, let’s send them the stick... Someone will be stupid enough to plug it in.”

Scene: The generals all rise and leave single file out the door falling into the darkness of the hallway in the bowels of the White House. POTUS looks up at Clarke who is fixing his one black leather glove.

POTUS: “You know, if this goes wrong we’ll just blame it on Israel right?”

Clarke: “That contingency has already been taken care of, I have primed the veep… He’ll fbomb that stuff like a Tourette’s patient off his meds.”

POTUS: “God love that crazy mick”

Cut scene: Screen goes dark

Stuxies Midnight Emissions

Well, it’s been a crazy week or so in the news cycle. With the revelations that POTUS personally had a hand in the destruction of Iranian nuclear centrifuges with malware, the floodgates of stupid have opened up and we have a wave as high as the biblical one that wiped the earth clean of people (if you believe that kind of crap).

Since this came to light in the NY Times, we have had all sorts of characters pontificating on the subject. Everyone has their opinion and unfortunately, all of them mean nothing to anyone of note because the real decisions of state have already been made haven’t they?

Onward we will sally forth though, with vigorous words on how we are the pre-eminent power on earth and how we are blessed by God him/her/itself and looking back be damned. We had the coders and we had the will so we did it.

Now, don’t get me wrong, I agree with the end result of the Stuxnet malware itself. I think though we could have been more subtle and manipulated their product instead of just causing the centrifuges to eat themselves, but, that is another story. No, we did what I think was a nice little piece of work against a regime that is unstable enough to do more with nuclear weapons than just stockpile them.

Frankly, one way or another, Iran will eventually get the nuclear bomb, but, we seem to have slowed them down a bit at the very least with this attack. Or, I should say, did slow them down, for a little while. Now though, after this report in the Times and the non attributable crowing of the administration that was behind it attributing themselves as the culprits, I think that Iran will just redouble their efforts on this issue as well as the development of Stuxnet II “This Time It’s Personal” as the movie poster will declare.

Nope, for me the issue I have with all of this is that the admin is using this as a cudgel to win an election. This and this alone is the bone of contention I have with POTUS and company. A POTUS that ostensibly is SOOOOOO upset over leakers and prosecutes them to the fullest of the law...That is, until it serves their personal or political needs that is.

I find it comical now that there are calls in the Senate to investigate the “leaks and leakers” within the White House who talked to Sanger about their digital derring-do. All you really need to do, Mr. Senator, is walk up to 1600 Pennsylvania Ave and knock on the Oval Office door. You can find the leaker there I can assure you.

Hubris, thy name is “Politician”.

Politics, Pedantry, and Hucksterism

So, there you have it, we created Stuxnet with much secrecy, so much secrecy that it got leaked to the New York Times! Well, not so much leaked as much as planted in the Times by the spinmeisters as a political pogramme on us all to sway our vote.

The Times story is rife with allegory on how the admin was taking care with this operation and that they wanted as little collateral damage as possible. The program was tested on an analogous testbed with equipment that we got from Libya, the results of which were the destroyed remains of the centrifuges, all was in preparation. All we then needed to do was get an asset on the ground to plug in a USB stick and voilà! Instant PWNAGE!

I’m sure there will be a full length feature film soon and it will be fueled by the leaks that this Times article and subsequent book were as well. Do you suppose they will be filming at Ft. Meade? Will Mike Hayden make a guest appearance? We all want to know! Suffice to say, that the media, the pundits and the other nations of the world will be taking note and working out their responses to all of the revelations from POTUS and company. For me though, my response is already quite clear…

“We’re fraked”

This whole escapade was ruined by the need of the admin to tattle on itself. I personally highly doubt that this was leaked by one person and all by themselves outing a whole clandestine operation. No, this was a political move, one that will I think, have some blowback on us all. Some will make the argument that the US wanted the Iranians to know, so we could be the “Babe Ruth” pointing at the backfield as if to say “That’s right muthafrakers… We are the shit and we will frak you up.”

I do not subscribe to that being the case as a tactic, hell, Biden then throws the Israelis under the bus twice in that article! It was the equivalent of verbal chaff and anyone with half a brain can see that.

“Well we did this because we wanted to settle the Israelis down, or they would have gone in hot.”

Uhh yeah, nice way to say we did it “only because we had to.”

Say, didn’t I see an ad by you offering a sweet price on a bridge somewhere?

Tell the truth, you wanted this out on that particular Friday because the jobs numbers were EPIC SUCK ok? Just please, admit it! C’mon, somewhere in your addled minds you know you want to tell the truth sometime!

FLAME ON YOU CRAZY DIAMOND!

Meanwhile, the FLAME debacle came into focus. An uber malware designed in the future by mad scientists and SKYNET with an 18 meg LUA decoder! This little gem has been perfectly timed to coincide with the STUXNET. Well, maybe, since it was Eugene Kaspersky ringing the bell on this one, perhaps not.

However, the FLAME seems to be all about stealing every conceivable piece of data it can get its hands on. It was a well run operation that has been going on since at least 2010 and bears the hallmarks of an intelligence agency running it. The use of cutout accounts with multiple names and locations as well as payment schemes shows that it wasn’t just Joe botnet herder. No, this one also was nation state most likely, but whose?

More importantly, how many of you out there would like to take odds on just when POTUS will leak the details of how we did this one to the Times? Takers? Anyone? C’mon I can bet bitcoins! Aww shucks… Guess you are all too smart and know that soon enough we will be reading about this “super secret black operation” in the papers. Even today more facts have come out of the reverse engineers saying that FLAME has a novel MD5 attack that has been known about since 2008 was it?

“Oooh sekret”

Be assured, that the FLAME will burn on as will the stupid around it from all sides.. Media.. Pundits… Politicians... Malware vendors… I don’t care if FLAME is LAME, I only care that this escalation is getting out of proportion and those running the programs are leaking the details to effect their political efforts.

Let’s CYBER Like It’s 1999

Now on to the word “CYBER” and its unfortunate tagging with “WAR” right after it. I have railed against this word for some time now but even with the best of my efforts, the douchery abounds. In fact, the douchery seems to know NO bounds frankly. I remember a time when CYBER was only followed by SEX and really wish it would just go back to being that.

Instead, we now have doctrine being written for “Cyberspace” and plans being made to militarize it all. All the while though not many really understand the space or the technology that they want to “CYBER” in! I can smell the fail now and it smells of cheap political and capitalist cologne.

Aside from the nomenclature issues here, I feel like others I have seen, that this has all been one giant mistake. We have opened “Pandora’s Box” as Mikko put it, and we are not ready for the consequences. I am damn sure that our infrastructure isn’t never mind the people and companies that run and own it all.

Try getting all of these players to secure their shit even on a microcosmic scale and you will see my pain. We in the business have known all too well that too many times within the mental calculus that management makes, security is a lesser understood or cared about concern over the bottom line in the world of black ink in the books.

So, my prognosis for this patient is “you’re fraked” but, with the caveat that we have been for a long long time. Will all the antics with the declaration of “CYBERWAR” by the Obama administration really make a difference in the tempo of battle already ongoing? Will nation states and others speed up their efforts to bring down parts of our grid? To what end? What are we producing that is equivalent to a small vector like Natanz and nuclear fuel? I guess what I am asking is, just what are the odds of the first great CYBERWAR being brought to our digital shores? Can I expect to turn on the light switch soon to find that there is no power?

Or even worse… Will they STUXNET Apple’s facilities so the kiddies can’t get their new shiny MacBooks?

OH THE HUMANITY!

I guess this is all being mapped out, kinda like the PROJECT X that plans on mapping the whole of the internet... So they can attack it. Time will tell I suppose, but, in the meantime, your fool forecast is for a high probability of foolishness at levels never before seen. So wear your rubbers kids.

We’re Doomed

But seriously, I think that we are doomed. Not the kind of doom where the world will end in a zombie apocalypse though. Hell, I would love to have that instead of what we are going to get. Instead we will have more stupidity, more controls being placed on the internet, and a slew of half baked ideas that will only serve to make us all more constrained in our daily affairs online.

Oh, and we will also live every day more in fear that some nation state, corporation, or crazy group of terrorists, will attempt to destroy something in our infrastructure… Because they can and feel the need to.

Welcome to the CYBERWARS! Please keep all hands and feet inside the ride at all times.

(June 5 & 6, 2012) Saying that she is "deeply disturbed by the continuing leaks of classified information to the media, most recently regarding alleged cyber efforts targeting Iran's nuclear program," US Senator Dianne Feinstein (D-California) is calling for legislative hearings about the leaks regarding the US's involvement with the Stuxnet worm. Senator Feinstein is not asking for the hearings to address the actual attacks. Senator Carl Levin (D-Michigan), who chairs the Senate Armed Services Committee, has agreed to hold a hearing on the matter. The FBI has reportedly launched an investigation into the leaks. There is concern that the revelation will encourage copycat attacks against the US.

The Information Assurance Directorate (IAD) at NSA recently released a new technical guide entitled, Best Practices for Securing a Home Network. This is one of many guidance documents IAD freely provides to customers outlining practical tips for improving the security of all kinds of applications, operating systems, routers, databases and more. IAD has been providing unclassified security guidance to customers for over ten years. This guidance could not be timelier in light of the increasing threats to U.S. government networks. This latest guide will go a long way in helping our customers protect both their public and private networks. Click here to view the Guide.

(If you follow the link there are some interesting links in the "related stories" sidebar along with a quiz about Cyber Security.)

Obama ordered Stuxnet cyberattack, reports say. Did it leave US vulnerable?

A New York Times report claims that President Obama used the Stuxnet cyberweapon to set back Iran's nuclear program. But experts caution that the worm could be reverse-engineered.

Stuxnet, the world's first publicly identified cyber superweapon, was unleashed against Iran's nuclear fuel-enrichment facility as part of a joint US-Israel cybersabotage operation, according to press reports Friday citing anonymous administration officials.

The news reports, which seem to remove any fig leaf of plausible deniability, could in the near term undermine ongoing nuclear talks with Iran. It could even provide Iran with internal justification for a cyber counterstrike against the US.

In the longer run, however, it also raises questions about how a US national policy of using powerful digital weapons could impact American security. Of particular concern is the possibility that such attacks could provide a digital copy of the cyberweapon to rogue nations or that hacktivists could reverse-engineer the weapon for use against the power grid or other key US infrastructure.

"Certainly we have thought Stuxnet was very likely to be a US-Israel operation – and that assumption has now turned out to be the case," says Stewart Baker, a lawyer and former senior official at the National Security Agency and the Department of Homeland Security. "In some ways, I do feel as though we've been living in a glass house for years and now we've decided we're going to invent rocks."

In the New York Times account, the cyberweapon was developed under a program initiated by President George W. Bush. President Obama then gave the go-ahead for a cyberweapon dubbed "the bug" to be unleashed in an attempt to derail Iran's bid to make nuclear-weapons fuel. The thrust of the account was separately confirmed by administration officials in a Washington Post report Friday.

But in summer 2010, after it became clear to the White House that "the bug" had inadvertently escaped the isolated network of Iran's Natanz uranium-enrichment plant and spread to computers worldwide, top administration officials held a "tense meeting" in the White House Situation Room, the Times said.

“Should we shut this thing down?” Obama asked, according to sources. It was unclear how much the Iranians knew about the code, and there was evidence that it was still vexing the Iranians, he was told. "Mr. Obama decided that the cyberattacks should proceed," the Times reported.

By late summer 2010, cybersecurity companies and the trade press were actively analyzing and debating the purpose of the strange piece of malicious software, dubbed "Stuxnet" after a file name inside the software. On Sept. 21, 2010, Ralph Langner, a German industrial-control systems cybersecurity expert from Hamburg, publicly identified Stuxnet as the world's first cyberweapon and named its likely target as Iran's nuclear facilities, as first reported and confirmed with other systems experts by the Monitor. Not long after, he postulated that the US and likely Israel, too, were behind the attacks.

Although Stuxnet is estimated to have eventually destroyed as many as 1,000 high-speed Iranian gas centrifuges designed to enrich uranium, its importance was far larger than that, Mr. Langner warned. It demonstrated that a cyberweapon could physically destroy critical infrastructure, and that process could also work in reverse.

"One important difference between a cyber offensive weapon and some kind of advanced bomb, for example, is that when the bomb blows up you can't examine or reverse-engineer it," says Joel Brenner, a former national counterintelligence executive in the Office of the Director of National Intelligence.

"Once you find the malware, on the other hand, once you find the code, you can see how it was done," he says. "So we are going to see more operations of this kind – and the US's critical infrastructure is undoubtedly going to be targeted. I still don't think that the owners and operators of most of that infrastructure understand the gravity of this threat."

According to the Times, participants in the many Situation Room meetings say Obama "was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons – even under the most careful and limited circumstances – could enable other countries, terrorists or hackers to justify their own attacks."

In the end, Obama concluded the US had little choice, the presidential aides told the Times. The alternative could be a nuclear Iran. But the attacks could also provoke Iran to retaliate.

"There are real risks here," Mr. Baker says. "The most immediate and obvious one is that the Iranians will feel even more motivated to respond in kind. This is not a particularly restrained Iranian administration. It's used terrorists and terrorist proxies for years. It may feel that [Stuxnet] gives them one free shot at the American industrial-control system of their choice. And the consequences might not be 10 years down the road either. It might be next week."

Another key takeaway is that cyberwar is unlikely to remain anonymous.

"The world we're moving into is one where attribution for such attacks will not be a problem," says James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington. "A nation might not be able to block an attack immediately, but you will be able to find out who's responsible."

Exactly six weeks from today, Anonymous will pull off its greatest and most destructive stunt of all time: Taking down the 13 servers that act as the core address book for everything from the Web to email, essentially blacking out the Internet in a protest of copyright law and Wall Street greed.

Or far more likely, six weeks and one day from today, the hackers will announce via a very-much-still-working Internet that it was all a highly provocative April Fool’s joke, another example of the dare-you-to-react trolling that Anonymous has refined to an art form.

Earlier this week, the loose movement of hackers announced in an online statement a new collective action it’s calling “Operation Global Blackout.” On March 31, it says it plans to attack the thirteen root Domain Name Service (DNS) servers that act as the Internet’s authority on how domain names (like Google.com) are translated to the IP addresses (like 74.125.157.99) of the computers that host those sites and mail servers. If Anonymous can successfully take those root servers down for long enough, DNS could cease to function, and the Web would become at least temporarily inaccessible for most users.

“To protest [the Stop Online Piracy Act], Wallstreet, our irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs out of sheer sadistic fun, On March 31, anonymous will shut the Internet down,” reads the statement. “Remember, this is a protest, we are not trying to ‘kill’ the Internet, we are only temporarily shutting it down where it hurts the most…It may only lasts one hour, maybe more, maybe even a few days. No matter what, it will be global. It will be known.”

But the security industry’s DNS gurus say it’s not time to start downloading your backup archive of Icanhazcheezburger just yet. Rob Graham, a researcher for the security consultancy Errata Security, lists in a blog post a slew of reasons why Anonymous’ DNS attack plan won’t work. Anonymous plans to use a technique it’s calling Reflective DNS Amplification to flood the root servers with spoofed requests from the lower-level DNS servers that look to the root servers for updates. But the thirteen DNS root servers, which are hosted variously by the Pentagon, Verisign, ICANN, Maryland University, NASA and others, each use different policies and hardware, and would each respond to that technique differently, Graham says.

“A technique that might take out one of them likely won’t affect the other twelve. To have a serious shot at taking out all 13, a hacker would have to test out attacks on each one,” he writes. “But, the owners of the systems would notice the effectiveness of the attacks, and start mitigating them before the coordinate attack against all 13 could be launched.”

Moreover, there are actually many more than 13 physical servers acting as the DNS root system. A load-balancing system called Anycast means that as many as thousands of computers share the load of those servers. Taking them all out will be extremely difficult, says Graham. And since most DNS servers cache the information they receive from the root servers for as long as a day, the root servers would have to be kept offline for many hours to have any effect on users.
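The caching argument above can be made concrete with a toy model. This Python sketch is an added illustration, not part of the original article: the one-day TTL is the article's figure, while the TLD list, the cache ages and all class and function names are constructed for the example. It models only cached root referrals, not Anycast or real DNS traffic.

```python
"""Toy model: a root outage is only felt once resolver caches expire."""
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR  # the article's figure: root data is cached "for as long as a day"


@dataclass
class CacheEntry:
    tld: str
    fetched_at: int  # seconds relative to outage start (negative = before it)
    ttl: int = DAY

    @property
    def expires_at(self) -> int:
        return self.fetched_at + self.ttl


class CachingResolver:
    """Recursive resolver that asks the root only when a TLD entry is missing or expired."""

    def __init__(self, entries, outage_end):
        self.cache = {e.tld: e for e in entries}
        self.outage_end = outage_end  # the outage runs from t=0 to outage_end

    def root_reachable(self, now: int) -> bool:
        return not (0 <= now < self.outage_end)

    def resolve_tld(self, tld: str, now: int) -> str:
        """Return 'cache', 'root' or 'fail' for one lookup at time `now`."""
        entry = self.cache.get(tld)
        if entry is not None and now < entry.expires_at:
            return "cache"            # root servers never contacted
        if self.root_reachable(now):
            self.cache[tld] = CacheEntry(tld, fetched_at=now)
            return "root"             # refreshed from the root
        return "fail"                 # expired entry and no root to ask


# Constructed sample: hours before the outage at which each TLD's
# referral was last fetched. Not measured data.
SAMPLE_CACHE_AGE_HOURS = {"com": 2, "org": 10, "net": 20, "io": 23}


def simulate(outage_hours: int) -> dict:
    """Look up every sample TLD once per hour for the whole outage."""
    entries = [CacheEntry(tld, fetched_at=-age * HOUR)
               for tld, age in SAMPLE_CACHE_AGE_HOURS.items()]
    resolver = CachingResolver(entries, outage_end=outage_hours * HOUR)
    lookups = failed = 0
    first_failure_hour = None
    for hour in range(outage_hours):
        for tld in SAMPLE_CACHE_AGE_HOURS:
            lookups += 1
            if resolver.resolve_tld(tld, hour * HOUR) == "fail":
                failed += 1
                if first_failure_hour is None:
                    first_failure_hour = hour
    # First lookup after the root returns: the stalest entry is refreshed.
    recovered = resolver.resolve_tld("io", outage_hours * HOUR)
    return {"lookups": lookups, "failed": failed,
            "first_failure_hour": first_failure_hour, "after_outage": recovered}


if __name__ == "__main__":
    for hours in (1, 6, 24):
        print(hours, simulate(hours))
```

A one-hour outage produces no failed lookups in this model, and even a full day leaves some lookups answered from cache, which is why operators treat outage duration, not just reach, as the figure that matters.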

By announcing its attack so far in advance, Anonymous has given the administrators of the DNS system plenty of time to prepare for the attack and react as it occurs, adds Dan Kaminsky, a well-known researcher who found and helped fix a major flaw in DNS in 2008. “Most denial of service attacks aren’t preceded by a warning,” he says. “I’ve talked to various network engineers who are responsible for keeping these servers up, and they’re aware of the threat. They have resources already in place. Anyway, [Anonymous'] disclosure is appreciated.”

Anonymous isn’t the first to try to take down DNS–in fact, it seems to happen every five years or so. In 2002, a similar denial of service attack hit the DNS root servers. A portion of the 13 were taken offline, but without visible results for users. In 2007, a pair of attacks on the root servers struck back-to-back, affecting six servers and taking two offline. But the other servers’ load-balancing technology stood up to the attacks.

All of this isn’t to say Anonymous has no chance of taking out DNS for any period of time–only that it’s extremely unlikely. It’s far more probable, says Kaminsky, that the announcement of “Operation Global Blackout” is simply the kind of highly provocative, attention-grabbing stunt that often characterizes Anonymous’ actions. “It doesn’t go unnoticed that Anonymous is talking about this the day before April Fool’s,” he says.

He compares the hackers’ announcement to the flurry of attention around the Conficker Worm, which infected 10 million computers in 2009 and was widely reported to be set to launch some sort of attack on the Internet on April 1st of that year. The fact that Anonymous chose nearly the same date may be more than a coincidence. “When you set a deadline, the press gets all ‘doomsday is coming,’ and that’s more disruptive than any actual outage,” says Kaminsky. “Anonymous doesn’t need to do anything on March thirty-first. The mere threat is enough to keep people talking about them and what they represent.”